Technology Lab —

Microsoft: Google Chrome Frame makes IE less secure

The release of Google Chrome Frame, a new open source plugin that injects Chrome's renderer and JavaScript engine into Microsoft's browser, earlier this week had many web developers happily dancing long through the night. Finally, someone had found a way to get Internet Explorer users up to speed on the Web. Microsoft, on the other hand, is warning IE users that it does not recommend installing the plugin. What does the company have against the plugin? It makes Internet Explorer less secure.

"With Internet Explorer 8, we made significant advancements and updates to make the browser safer for our customers," a Microsoft spokesperson told Ars. "Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take." The spokesperson also referred us to the latest phishing and malware data from NSS Labs, the same security company that found IE8 was the most secure browser in August 2009 via two Microsoft-sponsored reports.

Some of the points Microsoft makes in its statement are controversial, though it's not all simple PR talk. Plugins and add-ons are definitely a huge security issue; they usually remain unpatched longer than most and often end up doing more damage than vulnerabilities in the actual browser. As for IE + Google Chrome Frame potentially allowing for double the damage because the browser mutant would be open to a wider range of attacks, we're going to have to call foul. Somehow we doubt there is a significant amount of malware specifically targeting Chrome, and for whatever exists, we're pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome's security measures and would simply not expect Internet Explorer's security layers.

What about the part about Chrome having security issues in particular? Soon after Chrome was first released in September 2008, vulnerabilities were discovered and loudly trumpeted. The new browser was quickly labeled insecure days after it was made available, and remained so until a patched version was released.

After that though, Google made sure to stay on top of things, and it has paid off. In March 2009, for example, Chrome was the only browser left standing after day one of the famous Pwn2Own contest, where security researchers competed to exploit vulnerabilities in web browsers, while Firefox, Safari, and Internet Explorer were all successfully compromised. Microsoft argues that Chrome only remained unscathed because nobody attempted to exploit it, but the fact remains that none of the researchers had vulnerabilities for Chrome in mind before going into the contest.

Also, Swiss security researchers concluded in May 2009 that people who use Firefox or Chrome are more likely to be running the latest version of the software when compared against Safari and Opera users due to their auto-update mechanisms which require less user interaction. Internet Explorer wasn't even mentioned in the study, though we know that it relies on Windows Update and doesn't have an automatic built-in updater.

Finally, and possibly most importantly, Chrome has a market share that is easily 20 times smaller than Internet Explorer's. Even if Google reaches its 10 percent market share goal, Internet Explorer would still be six times more widely used. Microsoft doesn't like to admit it, but the fact is that market share is a disadvantage when it comes to security. It's just more profitable for the bad guys aim for the largest crowd of marks.

Google made a point to say that its plugin brings some security features to Internet Explorer. "Accessing sites using Google Chrome Frame brings Google Chrome's security features to Internet Explorer users, providing strong phishing and malware protection (absent in IE6), robust sandboxing technology, and defenses from emerging online threats that are available in days rather than months," a Google spokesperson told Ars.

While Microsoft's jabs at Chrome were a bit over the top, its points about Internet Explorer 8's security are solid. The browser has great phishing and malware protection built-in, and is overall miles ahead of its predecessors. That said, even if Microsoft claims that IE8 is more secure than Chrome, and it did in June 2008, the fact remains that Google didn't just release the plugin for IE8. It works in IE6 and IE7 as well. These old browser versions are much less secure, especially in comparison to IE8 and Chrome 3. In August 2009, Redmond confirmed that while it would continue to push IE6 and IE7 users to upgrade their browsers, it wasn't going to make the decision for them anytime soon.

For all these reasons, we don't believe that Microsoft is in a position to say that Google Chrome Frame is an unsafe choice. We do, however, understand where the software giant is coming from.

"Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

They should say that to Adobe Flash, Java, and Windows Live Toolbar first, hypocrites...

"Somehow we doubt there is a significant number of malware specifically targeting Chrome, and for those few that are, we're pretty sure most would fail when encountering IE + Google Chrome Frame. These Web attacks would be written to be able to circumvent Chrome's security measures and would simply not expect Internet Explorer's security layers. "

That doesn't sound like a valid argument to me. Security does not have to do with the percentage of malware written to it or obscurity.

But I agree that the argument from MS does not hold water. If it did they should not have build functionality to allow extensions

Since this is targeted at the groups of people that are still stuck with IE6 for whatever silly reason I cant imagine a plugin that helps IE run part of one of the most secure browsers around would really be a threat. In fact I would assume it would be the opposite.

But hey, that is just logic speaking....

I like how they say it has the potential to "doubled the attach area for malware" which seems to mean that they are adding all IE's existing vulnerabilities plus any Chrome might have *rolls eyes!*

Guess we'll just have to sit this one out until Google responds....I doubt they would seriously target something as an enterprise solution and not even consider security. Cmon!

LOL I totally agree with Ms you shouldn't use the Google Chrome plugin but Google Chrome itself. The IE UI sucks and has gotten progressively worse. So why use it? Chrome is an excellent browser and just a mouseclick away. (Or Firefox if you have to)

Originally posted by dreemernj:Any word on if Google Chrome Frame does the automatic calls home like Chrome does?

Don't spread FUD like this. Chrome does not "Phone Home" in any reasonable sense. It's communication back to Google (or, technically, your default search engine) is used only to provide autocomplete suggestions when searching from the address bar. In that regard it sends no more information than searching on Google directly. (or Bing or Yahoo for that matter)

If you want to complain about Chrome, go bemoan it's lack of extensions. Even if it's petty it's at least a valid point.

As someone stuck (at work) using IE6 for a long time, and now just recently getting IE7, this would seem to be a godsend... BUT, under security policies I have no control over, I can't install any other browsers, nor plugins. None. At all.The insane irony is the newer versions of browsers are typically more secure, IE included, yet the 'secure' decision is to stay on the older version way WAY too long.

Carping about my (hopefully rare) situation aside, this is a great idea, and while M$ has a point, I'm glad they've not gone any further than just giving a warning (obviously, attempting to block this plugin would generate quite nasty blowback). The 'friends and family' they speak of generally need all the protection they can get, given their propensity for flagrantly unsafe browsing. Those who understand the risks, and surf carefully should be at no more risk than with anything else.

The mere fact that there is even a 'Chrome Frame' in the first place makes Microsoft look bad as it is anyway. IE is becoming in some senses marginalised, especially to every day users who have control over what they can do with their machines. Those with choices.

It's a shame that corporate users don't have it so lucky. Things will change though. Businesses will at the end of the day realise the advantages of open HTML5 standards and API's. ActiveX will be seen to be a failure in comparison, and if they want to play they will have to adapt, slowly probably. The Web and it's evolution will carry on with or without IE. Personally I'd like to see it without IE. I've yet to be convinced by Microsoft.

The difference between Chrome which is very fast and IE8 which is okay, is so small its irrelevant compared to your connection speed. I use FF its not as fast but has the feature i want. Chrome sometimes runs very slow on some webpages so I'm not sure overall its faster than anything.

Oh, and you should also ban anyone still using IE6 from accessing the internet with a patch to block the connection if it's still installed. This would help us web designers greatly, instead of trying to cater to the 20% of those still using this piece of crap.

The more I think about it, the better my ultimate solution is: Get out of the web browser business completely and leave it to the experts who want a standardized set of rules.

For many of us developers this is more for IE 6 than IE 8. The HTML 5 stuff is important, but not necessarily crucial just yet. For me, and what I think the company I work for might use this for, is IE 6. If we can make it so a person with IE 6 needs this, then we've just saved ourselves a significant amount of time troubleshooting a debugging. Of course there are limitations to this as it still is a plugin, but it might make sense with IE 6's declining share.

Originally posted by wellofsouls:"Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts. This is not a risk we would recommend our friends and families take."

They should say that to Adobe Flash, Java, and Windows Live Toolbar first, hypocrites...

Actually, I think Emil really missed the focus here: phishing and malware delivered via social engineering. This is *significantly* more effective and popular than technical exploits, and the NSS findings indicate that IE8 is *much* better at blocking sites that phish or try to distribute malware via social engineering.

Emil basically ignores this, which is curious, since it's pretty clearly the basis for MS's argument. If there are issues with the findings, then please point them out.

Originally posted by nehalem:For many of us developers this is more for IE 6 than IE 8. The HTML 5 stuff is important, but not necessarily crucial just yet. For me, and what I think the company I work for might use this for, is IE 6. If we can make it so a person with IE 6 needs this, then we've just saved ourselves a significant amount of time troubleshooting a debugging. Of course there are limitations to this as it still is a plugin, but it might make sense with IE 6's declining share.

Absolutely. IE6 is the weakest link, so currently it's holding back web dev. If just IE6 would die, even if IEs 7 and 8 were still used, it would help substantially. (Although IE7 stinks too.)

Originally posted by nehalem:For many of us developers this is more for IE 6 than IE 8. The HTML 5 stuff is important, but not necessarily crucial just yet. For me, and what I think the company I work for might use this for, is IE 6. If we can make it so a person with IE 6 needs this, then we've just saved ourselves a significant amount of time troubleshooting a debugging. Of course there are limitations to this as it still is a plugin, but it might make sense with IE 6's declining share.

Absolutely. IE6 is the weakest link, so currently it's holding back web dev. If just IE6 would die, even if IEs 7 and 8 were still used, it would help substantially. (Although IE7 stinks too.)

"Given the security issues with plugins in general and Google Chrome in particular, Google Chrome Frame running as a plugin has doubled the attach area for malware and malicious scripts."

Uh, what? Chrome Frame is implemented as a standard BHO - if Microsoft thinks this is insecure, then that's the fault of their own plugin platform, not Chrome. And what malware out there targets Chrome anyway? Is there even any?

It's not Microsoft's problem. They've released two versions of IE since IE6. The problem is IE6 entrenchment in corporate culture. At my company (Fortune 250), IE6 is the standard. IT doesn't want to roll out IE6 to 10,000 PC's, so for the time being, our executives have IE6, so that's what we have to support as our PRIMARY browser, even though our traffic from IE6 has dropped to ~10%.

FWIW, I cannot imagine a scenario in which someone with IE7 or IE8 would need the ChromeFrame. Business just isn't done with HTML5.

Originally posted by funkatron:Actually, I think Emil really missed the focus here: phishing and malware delivered via social engineering. This is *significantly* more effective and popular than technical exploits, and the NSS findings indicate that IE8 is *much* better at blocking sites that phish or try to distribute malware via social engineering.

Emil basically ignores this, which is curious, since it's pretty clearly the basis for MS's argument. If there are issues with the findings, then please point them out.

Don't the phishing filters just check URLs against blocklists or at the most use some logic to detect common URL tricks? I don't think a new rendering engine would affect this.

"Finally, someone had found a way to get Internet Explorer users up to speed on the Web"

What a lame comment. I use IE because it works well for me. Generally I have moved away from Google technology becuase they do a poor job with their UI. Google Earth is a good example of poor Google work. As far as the plugin goes, only the clueless will take Google's word for its quality before is has a long history of use. As far as Microsoft's claim about the potential for security issues, the reasonable assumption is that they are right until proven otherwise. The kind of plugin that Google is supplying has to be complicated. Google's programmers are no better than anyone elses. Programmers leave bugs that cause security problems. If you want Chrome, get Chrome. One wonders whether Ermil's problem is just credulity or whether he is getting something from Google PR department for such a lame comment.

Originally posted by funkatron:Actually, I think Emil really missed the focus here: phishing and malware delivered via social engineering. This is *significantly* more effective and popular than technical exploits, and the NSS findings indicate that IE8 is *much* better at blocking sites that phish or try to distribute malware via social engineering.

Emil basically ignores this, which is curious, since it's pretty clearly the basis for MS's argument. If there are issues with the findings, then please point them out.

This.

But hey, obscure browsers and Macs are immune to phishing attacks, right?

@Toji - Stop calling Chrome's phone home fud. Just what the hell do you think is meant by "phone home"? It's making a connection from home (browser) to google automatically, many times, and without user interaction. After all, seeing as it follows proxies and provides a unique address for the user (to distinguish identities), it could be used for many purposes, most useful to law enforcement in tracking down ip usage of a user (same browsing session using multiple ip's, yet the same phone home id, hm....). Chrome's browser even goes as far as sends computer name and usernames with this. The worry of these phone home features are not as far fetched as you're trying to portray. @all - Now, everyone else. Microsoft has a point as this takes away features from IE's XSS filter. Yes, Chrome's xss filter is a lot worse than IE's (wohoo new cf uri to play with!). As much as everyone hates Microsoft and tries to tell everyone how insecure they are, IE8 has an amazing xss filter. HOWEVER, Chrome frame does use Chrome's sandboxing features, so this idea about more problems with "malware" propagation are rather ridiculous. Using it on older IE's would offer them more security, as well, thanks to this sandbox. So what do we have? Less secure low-level xss type attacks, but better defense against malware (before IE8). Microsoft chose the wrong words in the battle.

Originally posted by dreemernj:Any word on if Google Chrome Frame does the automatic calls home like Chrome does?

Don't spread FUD like this. Chrome does not "Phone Home" in any reasonable sense. It's communication back to Google (or, technically, your default search engine) is used only to provide autocomplete suggestions when searching from the address bar. In that regard it sends no more information than searching on Google directly. (or Bing or Yahoo for that matter)

If you want to complain about Chrome, go bemoan it's lack of extensions. Even if it's petty it's at least a valid point.

It was a question, not a complaint. And it is something different from what you are describing here.

The phone home I am referring to is a hash mark that somehow identifies the version of Chrome you're using, where you downloaded it from, and when you downloaded it. It sends this only to Google.

Chrome transmits this hash to Google once a day on its own or when you do a Google search from the address bar.

The question was simply if it still does this. Save your fanboy rage for actual insults to the browser.

Originally posted by dnjake: As far as Microsoft's claim about the potential for security issues, the reasonable assumption is that they are right until proven otherwise. The kind of plugin that Google is supplying has to be complicated. Google's programmers are no better than anyone elses. Programmers leave bugs that cause security problems.

Since when is it a reasonable assumption to believe the person with a vested interest instead of a logical argument?

Emil's argument was pretty logical; Chrome is secure and the extra layer of Chrome running in IE should only make some known chrome exploits potentially fail thereby adding an extra layer of security. I don't know why this line of reasoning is so hard for you to understand and why you make ridiculous accusations rather than arguing his point.

Microsoft, get your act together once and for all before babbling non-sense. Silverlight is also an addon right like Chrome Frame. Doesn't that make IE less secure? Silverlight encompasses an even greater degree of functionality, so it has the largest attack area.

Do security zone settings still apply to Chrome Frame? If IE is set to disable Javascript in the internet zone will Chrome Frame's javascript engine honor this and block the execution of javascript code? If the answer is no I can understand (and agree with) Microsoft's claim. Chrome Frame may be a BHO but in this case it replaces far more than your typical BHO; parts of the browser which are normally protected by security zone settings.

Conversely, if it still honors all security zone policies than this is just Microsoft sour grapes.

<quote>Chrome has a market share that is easily 20 times smaller than Internet Explorer's</quote>

What does this sentence even mean? This makes no grammatical sense what so ever. Does the author mean that Chrome has a market share that is easily less than one-twentieth the size of Internet Explorer's?

Chrome has a market share that is easily 20 times smaller than Internet Explorer's

What does this sentence even mean? This makes no grammatical sense what so ever. Does the author mean that Chrome has a market share that is easily less than one-twentieth the size of Internet Explorer's?